Re: [PATCH v3 09/10] KVM: nVMX: Switch to vmcs01 to set virtual APICv mode on-demand if L2 is active

[Chao Gao <chao.gao@intel.com>]

On Fri, Dec 05, 2025 at 03:19:12PM -0800, Sean Christopherson wrote:
>If L1's virtual APIC mode changes while L2 is active, e.g. because L1
>doesn't intercept writes to the APIC_BASE MSR and L2 changes the mode,
>temporarily load vmcs01 and do all of the necessary actions instead of
>deferring the update until the next nested VM-Exit.
>
>This will help in fixing yet more issues related to updates while L2 is
>active, e.g. KVM neglects to update vmcs02 MSR intercepts if vmcs01's MSR
>intercepts are modified while L2 is active.  Not updating x2APIC MSRs is
>benign because vmcs01's settings are not factored into vmcs02's bitmap, but
>deferring the x2APIC MSR updates would create a weird, inconsistent state.
>
>Signed-off-by: Sean Christopherson <seanjc@google.com>

Reviewed-by: Chao Gao <chao.gao@intel.com>

>@@ -6869,8 +6865,17 @@ void vmx_set_virtual_apic_mode(struct kvm_vcpu *vcpu)
> 			 * only do so if its physical address has changed, but
> 			 * the guest may have inserted a non-APIC mapping into
> 			 * the TLB while the APIC access page was disabled.
>+			 *
>+			 * If L2 is active, immediately flush L1's TLB instead
>+			 * of requesting a flush of the current TLB, because
>+			 * the current TLB context is L2's.
> 			 */
>-			kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
>+			if (!is_guest_mode(vcpu))
>+				kvm_make_request(KVM_REQ_TLB_FLUSH_CURRENT, vcpu);
>+			else if (!enable_ept)
>+				vpid_sync_context(to_vmx(vcpu)->vpid);

Nit: there's already a local "vmx" variable available. you can use it directly.